SAMLIssuerConfig.properties file

When creating a new SAML token, you can specify configuration properties to control how the token is configured. The configuration properties are stored in a properties file containing name/value pairs. The properties describe provider-side information such as the issuer location, and the keystore and truststore file paths.

Starting with WebSphere® Application Server version 8, you can also use the administrative console or the setSAMLIssuerConfigInBinding command task to specify a self-issued SAML token's configuration as custom properties in the requester's outbound configuration, either in the general bindings or in the application-specific bindings. You can also specify a self-issued SAML token's configuration as custom properties of com.ibm.websphere.wssecurity.wssapi.WSSGenerationContext objects when programming to the Web Services Security (WSS) application programming interfaces (APIs). Migrate self-issued SAML token configuration data from the SAMLIssuerConfig.properties file to the bindings. Refer to the "Managing self-issue SAML token configuration using wsadmin commands" section for additional information.

The SAMLIssuerConfig.properties file usage is deprecated in WebSphere Application Server version 8. Do not specify a SAMLIssuerConfig.properties file using a Java System property. The com.ibm.websphere.wssecurity.wssapi.token.SAMLTokenFactory.newDefaultProviderConfig() method returns a com.ibm.wsspi.wssecurity.saml.config.ProviderConfig object with empty contents when no SAMLIssuerConfig.properties file is specified, which is the recommended programming style. Use ProviderConfig setter methods to populate its contents.

File Location

A single configuration file, SAMLIssuerConfig.properties, containing the provider-side properties is created and stored on each server. On a WebSphere server, the file is located in the server-level repository, or in the cell-level repository. In an environment that is not based on WebSphere, the file location is defined by a Java system property. The name of this property is com.ibm.webservices.wssecurity.platform.SAMLIssuerConfigDataPath.

For example, the location of the file at the server level on a WebSphere server is:
app_server_root/profiles/$PROFILE/config/cells/$CELLNAME/nodes/$NODENAME/servers/$SERVERNAME/SAMLIssuerConfig.properties
The location of the file at the cell level on a WebSphere server is:
app_server_root/profiles/$PROFILE/config/cells/$CELLNAME/sts/SAMLIssuerConfig.properties

SAML token properties

The following table describes the provider configuration properties.
Table 1. Properties to configure provider information for a new SAML token. Use these properties to control how the token is created.

Property name: com.ibm.wsspi.wssecurity.dsig.oldEnvelopedSignature
Sample property value: true
Description: Use only if you are setting the com.ibm.wsspi.wssecurity.dsig.enableEnvelopedSignatureProperty JVM custom property to true. See the topic Java Virtual Machine (JVM) custom properties for a description of when you might want to use this JVM custom property.

Property name: IssuerFormat
Sample property value: urn:oasis:names:tc:SAML:1.1:nameid-format:X509SubjectName
Description: Value for the Format attribute of the Issuer element in the SAML token.
Note: If you want to add the Format attribute to the Issuer element, you must specify this property.

Property name: IssuerURI
Sample property value: http://www.websphere.ibm.com/SAML/SelfIssuer
Description: The URI of the issuer.

Property name: TimeToLiveMilliseconds
Sample property value: 3600000
Description: Amount of time before expiration of the token.

Property name: KeyStoreRef
Sample property value: name=myKeyStoreRef managementScope=(cell):myCell:(node):myNode
Description: A reference to a managed keystore from security.xml.

Property name: KeyStorePath
Sample property value: app_server_root/etc/ws-security/samples/dsig-receiver.ks
Description: The location of the keystore file.
Note: You must modify this value from the default value to match the path location for your system.

Property name: KeyStoreType
Sample property value: JKS
Description: The keystore type.

Property name: KeyStorePassword
Sample property value: password
Description: The password of the keystore file (the password must be XOR encoded). For more information, read about encoding passwords in files.

Property name: KeyAlias
Sample property value: soapprovider
Description: The alias of the key as defined in the keystore file.

Property name: KeyName
Sample property value: CN=SOAPProvider, OU=TRL, O=IBM, ST=Kanagawa, C=JP
Description: The name of the key as defined in the keystore file.

Property name: KeyPassword
Sample property value: password
Description: The password of the private key as defined in the keystore file (the password must be XOR encoded).

Property name: TrustStoreRef
Sample property value: name=myTrustStoreRef managementScope=(cell):myCell:(node):myNode
Description: A reference to a managed keystore from security.xml.

Property name: TrustStorePath
Sample property value: app_server_root/etc/ws-security/samples/dsig-receiver.ks
Description: The location of the truststore file.
Note: You must modify this value from the default value to match the path location for your system.

Property name: TrustStoreType
Sample property value: JKS
Description: The truststore type.

Property name: TrustStorePassword
Sample property value: password
Description: The password of the truststore file.

Property name: AttributeProvider
Sample property value: com.mycompany.SAML.AttributeProviderImpl
Description: Implementation class of the attribute provider.
Note: The class must implement javax.security.auth.callback.CallbackHandler. The class should receive the com.ibm.websphere.wssecurity.callbackhandler.Saml11AttributeCallback or com.ibm.websphere.wssecurity.callbackhandler.Saml20AttributeCallback callback object, then update the SAMLAttribute list received from the getSAMLAttributes method invoked on that object.
For more information, refer to "Adding attributes to self-issued SAML tokens using the API."

Property name: NameIDProvider
Sample property value: com.mycompany.SAML.NameIDProviderImpl
Description: Implementation class of the name ID provider.
Note: The class must implement javax.security.auth.callback.CallbackHandler. The class should receive the com.ibm.websphere.wssecurity.callbackhandler.NameIDCallback callback object, then call the setSAMLNameID method on that object to update the NameID.
For more information, refer to "Customizing the NameID for self-issued SAML tokens using the API."

Example

See the following example of a SAML token configuration properties file:
# Issuer identity and token lifetime
IssuerURI=http://www.websphere.ibm.com/SAML/SelfIssuer
TimeToLiveMilliseconds=3600000
# Keystore holding the signing key; passwords are {xor} encoded, not plaintext
KeyStorePath=${USER_INSTALL_ROOT}/etc/ws-security/samples/dsig-receiver.ks
KeyStoreType=JKS
KeyStorePassword={xor}LDotKTot
KeyAlias=soapprovider
KeyName=CN=SOAPProvider, OU=TRL, O=IBM, ST=Kanagawa, C=JP
KeyPassword={xor}LDotKTot
# Truststore used by the provider
TrustStorePath=${USER_INSTALL_ROOT}/etc/ws-security/samples/dsig-receiver.ks
TrustStoreType=JKS
TrustStorePassword={xor}LDotKTot

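The following added example (not part of the IBM documentation or the WebSphere product code) parses a SAMLIssuerConfig.properties file, encodes and decodes {xor} password values the way the sample file expects, and audits the file against the constraints the table above states: required properties present, passwords XOR encoded rather than plaintext, and keystore paths changed away from the shipped sample file. The audit checks, the required-key list and the sample file contents are constructed assumptions for this example; the {xor} scheme is base64 of each byte XORed with 0x5F, which round-trips the page's own sample value.

```python
import base64
XOR_KEY = 0x5F  # the {xor} scheme XORs each byte with '_' (0x5F) and base64-encodes the result
REQUIRED = ("IssuerURI", "KeyStorePath", "KeyStorePassword", "KeyAlias")  # assumed minimum set
PASSWORD_KEYS = ("KeyStorePassword", "KeyPassword", "TrustStorePassword")
SAMPLE_KEYSTORE = "/etc/ws-security/samples/dsig-receiver.ks"

# Constructed sample based on this page's example file, with two deliberate mistakes:
# a plaintext KeyPassword and a TrustStorePath still pointing at the shipped sample keystore.
SAMPLE = """\
IssuerURI=http://www.websphere.ibm.com/SAML/SelfIssuer
KeyStorePath=/opt/IBM/WebSphere/AppServer/etc/ws-security/saml-issuer.ks
KeyStorePassword={xor}LDotKTot
KeyAlias=soapprovider
KeyName=CN=SOAPProvider, OU=TRL, O=IBM, ST=Kanagawa, C=JP
KeyPassword=server
TrustStorePath=${USER_INSTALL_ROOT}/etc/ws-security/samples/dsig-receiver.ks
"""

def xor_encode(plain: str) -> str:
    # Produces the {xor} form the file expects; this is obfuscation, not encryption.
    return "{xor}" + base64.b64encode(bytes(b ^ XOR_KEY for b in plain.encode())).decode()

def xor_decode(value: str) -> str:
    if not value.startswith("{xor}"):
        raise ValueError("value is not {xor} encoded")
    return bytes(b ^ XOR_KEY for b in base64.b64decode(value[5:])).decode()

def parse_properties(text: str) -> dict:
    # Splits on the first '=' only, so the DN in KeyName keeps its own '=' signs.
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line[0] in "#!":
            continue
        key, _, value = line.partition("=")
        props[key.strip()] = value.strip()
    return props

def audit(props: dict) -> list:
    # Findings: required keys present, passwords XOR encoded, sample keystore not reused.
    findings = []
    for key in REQUIRED:
        if key not in props:
            findings.append(f"{key}: missing")
    for key in PASSWORD_KEYS:
        if key in props and not props[key].startswith("{xor}"):
            findings.append(f"{key}: not XOR encoded")
    for key in ("KeyStorePath", "TrustStorePath"):
        if props.get(key, "").endswith(SAMPLE_KEYSTORE):
            findings.append(f"{key}: still points at the shipped sample keystore")
    return findings
```

Because {xor} encoding is reversible, the properties file still needs restrictive file-system permissions; the encoding only keeps the password out of casual view.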
Related tasks
Propagating SAML tokens
Encoding passwords in files
Managing self-issue SAML token configuration using wsadmin commands
Adding attributes to self-issued SAML tokens using the API
Customizing the NameID for self-issued SAML tokens using the API
Last updated: Feb 6, 2014 8:11:25 PM CST
http://www14.software.ibm.com/webapp/wsbroker/redirect?version=matt&product=was-nd-mp&topic=rwbs_samltokenproperties
File name: rwbs_samltokenproperties.html